Thank you for the response. The bug you referenced seems to represent what I'm seeing. The key is successfully imported but appears to be mangled, and is therefore rejected by the destination. If the bug is the issue, shouldn't this be resolved if I'm building from libssh2 source?
Here are the additional details that align with your response.

Regarding the libssh2 copy:

* The default version of libssh2 on Ubuntu 22.04 LTS is 1.10.
  https://packages.ubuntu.com/jammy/libssh2-1
* The build script is pulling down and building libssh2 version 1.11.
  https://github.com/libssh2/libssh2

When evaluating the linked shared objects for the ssh client (ldd libguac-client-ssh.so) I see:

    …
    libssh2.so.1 => /opt/guacamole/lib/libssh2.so.1
    …

which aligns with the libssh2 build and the LD_LIBRARY_PATH defined when running guacd.

Testing is pretty basic: the private key was tested using 'ssh -i <keyfile> user@host'. Both OPENSSH and RSA formats connect successfully.

Setup test with OPENSSH key:

    guacd[112556]: DEBUG: Client is using protocol version "VERSION_1_5_0"
    guacd[112556]: DEBUG: Attempting private key import (WITHOUT passphrase)
    guacd[112556]: INFO: Auth key successfully imported.
    guacd[112556]: DEBUG: Successfully connected to host ::1, port 22
    guacd[112556]: WARNING: No known host keys provided, host identity will not be verified.
    guacd[112556]: DEBUG: Supported authentication methods: publickey
    guacd[112556]: ERROR: Public key authentication failed: Callback returned error
    guacd[112556]: TRACE: Server completed frame 1212295887ms.
    guacd[112556]: INFO: User "@5d1e0899-21ff-4cd0-b92c-3f846334db9e" disconnected (0 users remain)
    guacd[112556]: INFO: Last user of connection "$087221f9-e159-4f7d-8935-9e8f48e42e6e" disconnected
    guacd[112556]: DEBUG: Requesting termination of client...

Setup test with RSA key:

    guacd[113173]: DEBUG: Client is using protocol version "VERSION_1_5_0"
    guacd[113173]: DEBUG: Attempting private key import (WITHOUT passphrase)
    guacd[113173]: INFO: Auth key successfully imported.
    guacd[113173]: DEBUG: Successfully connected to host ::1, port 22
    guacd[113173]: WARNING: No known host keys provided, host identity will not be verified.
    guacd[113173]: DEBUG: Supported authentication methods: publickey
    guacd[113173]: WARNING: Unable to set the timezone: SSH server refused to set "TZ" variable.
    guacd[113173]: DEBUG: Reconnecting for SFTP...
    guacd[113173]: DEBUG: Successfully connected to host ::1, port 22
    guacd[113173]: WARNING: No known host keys provided, host identity will not be verified.
    guacd[113173]: DEBUG: Supported authentication methods: publickey
    guacd[113173]: DEBUG: SFTP session initialized
    guacd[113173]: INFO: SSH connection successful.

From: Michael Jumper <mjum...@apache.org>
Sent: Wednesday, February 21, 2024 12:18 PM
To: user@guacamole.apache.org
Subject: Re: Guacd on Ubuntu LTS 22.04 fails when using OPENSSH formatted keys

On 2/20/24 20:23, Ray Smith wrote:
> Unable to get a native Ubuntu build of guacd to work the same as the
> docker build when it comes to OPENSSH private key format. Scripted the
> build process to mimic that used by docker (building dependencies),
> using Ubuntu 20.04 LTS and Ubuntu 22.04 LTS as the native base. Still
> no luck with OPENSSH formatted keys.
>
> https://github.com/RaySmith1/ubuntu-guacd-build/blob/main/build.sh
>
> I think I understand that the PKCS#1 RSA (and PKCS#8?) standards are
> supported. But I found references that call out that any keys SSH
> supports can be stored in OPENSSH key format and those can be
> loaded/unloaded without relying on an SSL/TLS library. If the goal of
> the OPENSSH key format was to eliminate the need for external libraries, why
> specifically does the docker version appear to support the use of
> OPENSSH keys while the native Ubuntu version does not? What is
> necessary to support OPENSSH keys with the native Ubuntu builds?

Guacamole inherits its support for SSH keys from libssh2. If the version of libssh2 installed supports a particular key format, then so does Guacamole if built against that version of libssh2. There is nothing within Guacamole itself that adds/removes support for any particular type of key.

I'm not sure what you're referring to regarding eliminating the need for libraries. Introducing a new format of key doesn't eliminate the need for libraries to decode that new format of key; it requires that libraries like libssh2 that already support the older format of key must now also implement support for the new format.

The version of libssh2 that introduced support for OpenSSH's new key format was 1.9.0, while the version of Guacamole that introduced support for using purely libssh2 to read these keys was 1.5.0:

https://guacamole.apache.org/releases/1.5.0/#ecc-keys

If you are certain that what you're building is recent enough, then you should have the necessary support, and I'm not sure why things would be failing. Logs might help.

The only possibilities that come to mind are:

* There might be a copy of libssh2 present from an Ubuntu package taking precedence over the version you're manually building.
* There is a known issue with libssh2 that causes reading a key to fail which has since been fixed ... but that fix has not yet been released by libssh2: https://github.com/libssh2/libssh2/issues/773. Variation between the libc used by Alpine (our Docker images) and Ubuntu (your build) might make that issue less likely to occur in the Alpine case.

- Mike
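The first possibility Mike raises (a packaged libssh2 shadowing the locally built one) is exactly what Ray's ldd and LD_LIBRARY_PATH checks are meant to rule out. The script below combines those two checks into a repeatable verdict. It is an added example, not code from this thread or from the Guacamole project: the /opt/guacamole/lib prefix comes from the ldd line quoted above, while the system library directories (/usr/lib, /lib), the function names and the sample ldd output are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the mailing-list thread or from Guacamole.
# Reports which libssh2 the guacd SSH client plugin resolves to and whether
# a packaged copy could take precedence over a locally built one.
#
# Assumptions (only the /opt/guacamole/lib prefix comes from the thread):
# the custom build installs under EXPECTED_PREFIX, distribution packages
# install under /usr/lib or /lib, and guacd is started with LD_LIBRARY_PATH.

EXPECTED_PREFIX="${EXPECTED_PREFIX:-/opt/guacamole/lib}"

# Read ldd output on stdin and print the path libssh2 resolved to.
# A typical line looks like:
#   libssh2.so.1 => /opt/guacamole/lib/libssh2.so.1 (0x00007f3d0c000000)
# For an unresolved library ldd prints "=> not found", which yields "not".
libssh2_path_from_ldd() {
    sed -n 's/^[[:space:]]*libssh2\.so[^[:space:]]*[[:space:]]*=>[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Classify the resolved path:
#   custom  - under EXPECTED_PREFIX (the manually built libssh2)
#   system  - under a distribution library directory (the Ubuntu package)
#   missing - libssh2 not linked or not found
#   other   - anywhere else
classify_libssh2() {
    case "$1" in
        ""|not)                  echo missing ;;
        "$EXPECTED_PREFIX"/*)    echo custom ;;
        /usr/lib/*|/lib/*)       echo system ;;
        *)                       echo other ;;
    esac
}

# Succeed (exit 0) only when EXPECTED_PREFIX is the first LD_LIBRARY_PATH
# entry, so the loader tries the custom libssh2 before any packaged copy.
# Takes the LD_LIBRARY_PATH value to check as its single argument.
prefix_first_in_ld_path() {
    first="${1%%:*}"
    [ "$first" = "$EXPECTED_PREFIX" ]
}

# Sample ldd output, constructed for this example. The first mirrors the
# line quoted in the thread; the second shows the packaged library winning.
SAMPLE_LDD_CUSTOM='    linux-vdso.so.1 (0x00007ffd0a1f3000)
    libssh2.so.1 => /opt/guacamole/lib/libssh2.so.1 (0x00007f3d0c000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3d0bc00000)'
SAMPLE_LDD_SYSTEM='    libssh2.so.1 => /usr/lib/x86_64-linux-gnu/libssh2.so.1 (0x00007f3d0c000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3d0bc00000)'

# Print a one-line verdict for a given ldd output and LD_LIBRARY_PATH value.
report() {
    path=$(printf '%s\n' "$1" | libssh2_path_from_ldd)
    kind=$(classify_libssh2 "$path")
    if prefix_first_in_ld_path "$2"; then order=ok; else order=suspect; fi
    echo "libssh2 -> ${path:-<none>} [$kind], LD_LIBRARY_PATH order: $order"
}

if [ "$#" -gt 0 ]; then
    # Real run: ./check_libssh2.sh /path/to/libguac-client-ssh.so
    report "$(ldd "$1")" "${LD_LIBRARY_PATH:-}"
else
    # Demonstration on the constructed samples.
    report "$SAMPLE_LDD_CUSTOM" "/opt/guacamole/lib:/usr/lib/x86_64-linux-gnu"
    report "$SAMPLE_LDD_SYSTEM" "/usr/lib/x86_64-linux-gnu:/opt/guacamole/lib"
fi
```

Run it against the installed plugin with the same environment guacd is started under; a verdict of "[system]" or "LD_LIBRARY_PATH order: suspect" means the 1.10 package from Ubuntu may be the libssh2 actually doing the key import, regardless of which version the build script fetched.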